Know your legal basis and consent mechanism

Under GDPR, organisations will need to process data using one or more of the below legal basis:

  • Legal necessity
  • Vital – (such as in cases of medical emergencies or life or death)
  • Public knowledge
  • Execution of contract
  • Legitimate interest
  • Consent

So for example, a finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of his new address. The finance company engages a debt collection agency to find the customer and seek repayment of the debt. It discloses the customer’s personal data to the agency for this purpose. Although the customer has not consented to this disclosure, it is made for the purposes of the finance company’s legitimate interests – i.e. to recover the debt.

Consent mechanisms

Whereas before there was one consent to rule them all, GDPR requires a complete review of consent mechanisms, to make sure they meet the legislation’s new standards. If organisations cannot achieve the new, high level of consent then they must find an alternative legal basis (as listed above), or not process the data in question at all.

As such, businesses will now need to review their consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn.

The key new points are as follows:

  • Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary
  • Active opt-in: pre-ticked opt-in boxes are invalid – use unticked option boxes or similar active opt-in methods (e.g. a binary choice given equal prominence)
  • Granular: give granular options to consent separately to different types of processing wherever appropriate.
  • Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
  • Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
  • Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.

No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.


Our current ‘Ask the Experts’ GDPR report has been produced in partnership with one of our Group Companies Response One and one of our Partner organisations MyLife Digital.

Talk to us if you want to learn more. 

Back to Insights

Bench Newsletter

Register here to receive the latest Newsletter